Equifax CEO Blamed Single Person For Breach

Former Equifax CEO Richard Smith told Congress Tuesday that the massive breach that exposed the personal information of more than 145 million U.S. consumers was the result of a failure by a single individual.

Speaking to the House Energy and Commerce Committee, the former executive, who headed the credit reporting firm during the breach and has since resigned, was pressed by members of Congress on a number of issues: how the breach occurred, why it took so long for the company to notify the public, and what Equifax will do going forward to protect the consumers it exposed.

The biggest revelation of Smith’s testimony, which primarily consisted of the former CEO restating information provided in his written testimony, was that a single individual was apparently responsible for making sure the company’s systems were patched in a timely manner.

Smith explained that the day after Equifax received a notification from the United States Computer Emergency Readiness Team (US-CERT), the security team “notified a wide range of people in the technology team who were responsible for then finding the vulnerability, applying the patch, and days later—as is typical protocol—deploy the technology scanner that looks for the vulnerability.”

Despite following those procedures, the CEO said “both human deployment of the patch and scanning deployment did not work,” while noting that “the protocol was followed.”

Smith continued by saying “the human error was the individual who is responsible for communicating in the organization to apply the patch did not.” Smith didn’t note who the individual was, but said the person who knew the patch needed to be applied did not communicate with the team that does the patching about the vulnerability.

A scanning mechanism that was intended to search Equifax’s systems and determine whether the vulnerability was still present also failed to identify it, which left the company exposed and allowed the breach to occur. Smith admitted that the scanner must be configured by a user to know what to search for, and that it is possible the person operating the scan failed to configure it properly.

“The reason why the scanner technology piece did not locate the vulnerability is still under investigation by outside counsel,” Smith said.

The former CEO also noted that suspicious activity and attempted security breaches were not uncommon for the company. “We do have a lot of data and our primary role is to protect that data. We have experienced millions of suspicious activity against our database any given year,” he said.

When asked by Congressman Greg Walden, R-OR, why the head of security brought the matter to the CEO at all if such events happen so regularly, and why it wasn’t immediately taken seriously, Smith said that being informed of suspicious activity “is not uncommon” for him.

“It’s not uncommon for us to engage forensic audit for instance, it’s not uncommon for us to engage outside counsel to help us think things through when there is suspicious activity,” he said.

The CEO provided a full timeline of events related to the breach prior to the hearing but appeared fuzzy on the exact dates and information when pressed by members of the committee.

Smith floundered when asked whether he knew that personally identifiable information (PII) had been stolen as a result of the breach on August 17—the same date on which he gave a speech at a college in which he called fraud “a huge opportunity for Equifax” and said it was a “massive, growing business for us.”

When asked about that speech by Congressman Frank Pallone, D-NJ, Smith insisted he had no knowledge of consumer PII being stolen until after he gave the talk. “At the time I gave that speech, I did not know the size or scope of the breach,” Smith said.

Later, when asked by Congressman Ben Ray Luján, D-NM, the former CEO admitted to being made aware “that criminal hackers [had] gotten into our system and had some PII” as early as August 15.

Smith also struggled to explain the difference between a credit lock and a credit freeze while promoting Equifax’s new security feature, which it plans to roll out in January 2018. The service will be a free mobile application that allows users to lock and unlock their credit file as often as they like, without any fee.

When asked by Congressman Luján about the difference between a lock and a credit freeze, Smith said, “there is a process that is a little different, but as far [as] the consumer and the protection that he or she would get from doing one versus the other, is virtually if not exactly the same.”

He later told Congresswoman Doris Matsui, D-CA, that there is no difference for consumers between a lock and a freeze, suggesting that any difference lies in how Equifax handles the two services internally. Smith offered no further detail beyond noting that the lock service would be available on mobile devices and easier for consumers to access.

Smith also dodged providing a direct answer when Congressman Pallone asked if the new lock feature would require users to consent to Equifax sharing or selling their information with third-party companies for marketing and other purposes.

“We’re trying to change the paradigm. This will be an environment viewed as a service, a utility, not a product. We aren’t cross-selling, up-selling any products available to the consumer. When they go to get inside of the lock product, that is a service to them, and that is the only service they will get,” Smith said, while neither confirming nor denying that consumer data may be shared or sold.

The former CEO admitted failure a number of times throughout the hearing, though many of the members of the House Energy and Commerce Committee seemed to be unmoved by Smith’s apologies and called for more members of Equifax’s executive leadership, including the chief information officer and chief legal officer, to testify in front of Congress.

Some members of the committee floated the possibility of regulations on companies to punish them if they suffer a data breach and to provide consumers with more recourse if they are affected by the mistake of an organization—especially in a case like Equifax, in which many consumers did not willingly provide the stolen data to the company.

“I think there is a role for businesses to do more, for the industry to do more,” Smith said in response to the possibility of additional regulation. “If there is particular legislation that arises out of this horrific breach, I’m sure you’ll find management at Equifax and the industry willing to work and cooperate with regulators.”

Smith also suggested it was time for the U.S. to move beyond Social Security numbers as a primary identifier and to begin considering new ways of identifying consumers that would be more secure and harder to compromise.